At present, many internal networks, such as Local Area Networks (LAN), intranets, or the like, are connected to a wide area network such as the Internet. A plurality of geographically separated internal networks may be connected to each other over a wide area network using a communication technology such as a Virtual Private Network (VPN).
For security purposes, a firewall (including what is called a proxy server) may be installed at the boundary between an internal network and a wide area network. Some firewalls perform layer 7 (application layer) protocol processing to inspect the contents of communication, for example to detect viruses or the presence of confidential information. However, a firewall that performs such higher layer protocol processing is likely to suffer from an increased workload. In addition, if a single firewall is used to inspect all of the communication of a large scale internal network, the workload of that firewall increases, which causes a long communication delay.
There has been proposed a router that makes a reverse Domain Name System (DNS) query to obtain a domain name for the Internet Protocol (IP) address of a packet and then routes the packet on the basis of the obtained domain name, with reference to a domain name routing table. There has also been proposed a load balancer that forwards packets whose IP addresses are registered in a white list to a server dedicated to white-listed traffic, and forwards packets whose IP addresses are not registered in the white list to a normal server.
Please see, for example, Japanese Laid-open Patent Publications Nos. 2005-223449 and 2010-45617.
Among the services provided over a wide area network, there are highly authoritative services, such as well-known Web search services, the update services of well-known software vendors, or the like. To reduce the workload of inspecting communication, one conceivable approach is to send packets related to authoritative services and all other packets over different transmission paths (for example, so that the former bypass a firewall while the latter pass through it). However, a problem arises as to how a communication apparatus is to implement such control of transmission paths.
For example, in some services, accesses from clients are dynamically redirected to cache servers. In these services, it is difficult to identify in advance which cache servers are used by each service, and therefore difficult to determine from a lower layer address (for example, an IP address) included in a packet whether that packet is related to an authoritative service.
In addition, the organization that provides a service and the organization that runs the corresponding cache server may be different. In this case, even if a reverse query is used to resolve the lower layer address included in a packet to a higher layer address (for example, a host name including a domain name), the domain of that higher layer address only indicates the organization that runs the cache server. Therefore, it is also difficult to determine the authenticity of the service on the basis of the result of a reverse query.
Further, there is considered a method in which a communication apparatus that distributes packets performs higher layer protocol processing (for example, layer-7 Hypertext Transfer Protocol (HTTP) processing) to extract an original higher layer address from the contents of a packet. This method, however, needs a sophisticated communication apparatus and therefore is disadvantageous in terms of cost and workload.
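The following is an added illustration, not code from the patent or from the publications it cites, of the two approaches discussed above: path selection by a reverse DNS query against a domain name routing table, and path selection by extracting the original higher layer address from an HTTP request at layer 7. The bypass domains, the IP addresses, the PTR records standing in for a live reverse-DNS resolver, and the sample requests are all constructed for the example; the function names (`route_by_reverse_dns`, `host_from_http_request`, `route_by_http_host`) are hypothetical.

```python
# Added example (not from the patent or its cited publications): choosing a
# transmission path for a packet bound for an "authoritative" service, first by
# reverse DNS plus a domain routing table, then by the HTTP Host header.
# All domains, addresses, PTR records and requests below are constructed.

# Hypothetical domain routing table: hosts under these domains may bypass the
# inspecting firewall; everything else is sent through it.
BYPASS_DOMAINS = ("search.example", "update.vendor.example")

# Constructed PTR records standing in for a live reverse-DNS resolver so the
# example runs offline. 203.0.113.10 is a cache server operated by a CDN, not
# by the search service whose content it serves.
PTR_RECORDS = {
    "198.51.100.5": "www.search.example.",
    "203.0.113.10": "edge-12.cdn.example.",
}

# Constructed request as a client would send it to the CDN cache server.
SAMPLE_REQUEST = (b"GET /search?q=x HTTP/1.1\r\n"
                  b"Host: www.search.example:80\r\n"
                  b"User-Agent: t\r\n\r\n")


def normalize_name(name):
    """Lower-case and drop the trailing dot so PTR names and Host values compare."""
    return name.strip().rstrip(".").lower()


def in_domain(name, domain):
    """Label-aware suffix match: 'notsearch.example' must not match 'search.example'."""
    name, domain = normalize_name(name), normalize_name(domain)
    return name == domain or name.endswith("." + domain)


def route_for_name(name):
    """Map a host name (or None when unresolvable) to a transmission path."""
    if name is None:
        return "firewall"
    return "bypass" if any(in_domain(name, d) for d in BYPASS_DOMAINS) else "firewall"


def reverse_lookup(ip):
    """Stand-in for a PTR query; returns None when the address has no PTR record."""
    return PTR_RECORDS.get(ip)


def route_by_reverse_dns(dst_ip):
    """Prior-art style: destination IP -> reverse query -> domain routing table."""
    return route_for_name(reverse_lookup(dst_ip))


def host_from_http_request(payload):
    """Extract the Host header from a plaintext HTTP/1.x request; None if absent or malformed."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block incomplete or not HTTP at all
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        field, colon, value = line.partition(b":")
        if colon and field.strip().lower() == b"host":
            host = value.strip().decode("latin-1")
            if host.startswith("["):      # IPv6 literal: keep only the bracketed part
                host = host[: host.index("]") + 1] if "]" in host else host
            elif ":" in host:             # strip an explicit port
                host = host.rsplit(":", 1)[0]
            return normalize_name(host) or None
    return None


def route_by_http_host(payload):
    """Layer-7 path selection: use the name the client actually asked for."""
    return route_for_name(host_from_http_request(payload))


if __name__ == "__main__":
    # The same request reaches the CDN cache at 203.0.113.10: reverse DNS sees
    # only the CDN operator's domain, while the Host header names the service.
    print("reverse DNS:", route_by_reverse_dns("203.0.113.10"))   # firewall
    print("HTTP Host:  ", route_by_http_host(SAMPLE_REQUEST))     # bypass
```

Two caveats a practitioner should keep in mind. First, the Host header is chosen by the client, so a host inside the network can claim any name it likes to select the bypass path; the layer-7 result identifies what the client asked for, not who is answering. Second, the header parsing shown here only works on plaintext HTTP; for HTTPS the request headers are encrypted, and only what the handshake exposes (such as the TLS server name indication, which is likewise client-supplied) is visible to an apparatus in the path.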